I have done some digging and haven't really seen anything, so if it has been posted, I'm sorry.
Currently we have a /29, the FortiGate ends with a .234. I have a couple of different VLANs that, traffic-wise, go out separate IPs. I would like to make all VPN traffic use the .236 vs the default .234 IP that is the FortiGate. Is this possible?
So it looks like I'm sticking with that default IP. I would think at this point we would be able to decide what IP we want this to listen on, especially since all the publics will typically be on that one interface anyway.
You can do it and make a different IP work without using a VIP, but it's a little weird.
I create secondary IPs on the WAN interface and use one of them for SSL-VPN. Use a local-in policy to block any SSL to the primary IP and allow it only to the secondary IP. The SSL-VPN will tell you it is listening on the primary IP, but it is actually listening on the interface and will accept the SSL connection on the secondary IP.
Not sure if there is a cleaner/better way to do this. Would love to hear it if there is.
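For anyone who wants to try the secondary-IP approach above, here is the FortiOS CLI for it as an added example (not config from the poster or from Fortinet docs). It assumes the /29 is 203.0.113.232/29 (RFC 5737 documentation space), the WAN interface is named wan1, the primary is .234, the SSL-VPN secondary is .236, and the SSL-VPN port is 10443; the address, service and policy names are made up for the example.

```text
# Add the secondary IP on the WAN interface (assumed: wan1, 203.0.113.232/29)
config system interface
    edit "wan1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 203.0.113.236 255.255.255.248
                set allowaccess ping
            next
        end
    next
end

# SSL-VPN still binds to the interface, not to a single address
config vpn ssl settings
    set port 10443
    set source-interface "wan1"
    set source-address "all"
end

# Host objects for the two public IPs (names are assumed)
config firewall address
    edit "wan1-primary-234"
        set subnet 203.0.113.234 255.255.255.255
    next
    edit "wan1-sslvpn-236"
        set subnet 203.0.113.236 255.255.255.255
    next
end

# Service matching the SSL-VPN port (TCP for TLS, UDP for DTLS)
config firewall service custom
    edit "SSLVPN-10443"
        set tcp-portrange 10443
        set udp-portrange 10443
    next
end

# Local-in policies are evaluated top down: accept on .236, deny on .234
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "wan1-sslvpn-236"
        set service "SSLVPN-10443"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "wan1-primary-234"
        set service "SSLVPN-10443"
        set schedule "always"
        set action deny
    next
end
```

To confirm it behaves as described, watch the handshake land on the secondary address with `diagnose sniffer packet wan1 "host 203.0.113.236 and tcp port 10443" 4` while connecting to .236, then repeat against .234 and check that the SYN arrives but no SYN-ACK is returned. Keep the deny policy narrow (only the SSL-VPN service); a broad deny on the primary IP will also cut off HTTPS admin, IPsec or anything else that address still serves.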
So I have a slightly different situation where I'm doing BGP with 2 different ISPs and want my SSL VPN to still work when one or the other goes down. What I ended up doing is creating a loopback interface for my VPN to listen on and then creating a VIP from my public, BGP-announced subnet that NATs to that loopback IP. I think that may be a cleaner option for both of y'all even though you're not necessarily dealing with the 2 ISPs issue.